diff --git a/ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.19-nightly-x86.yaml b/ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.19-nightly-x86.yaml index 2e79d242fd746..28b8197ede2fc 100644 --- a/ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.19-nightly-x86.yaml +++ b/ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.19-nightly-x86.yaml @@ -307,7 +307,6 @@ tests: - chain: openshift-qe-control-plane workflow: openshift-qe-installer-aws-ovn-ipsec - as: data-path-ipsec-9nodes - cron: 0 2 8,22 * * steps: allow_skip_on_success: true cluster_profile: aws-perfscale-qe diff --git a/ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.20-nightly-x86.yaml b/ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.20-nightly-x86.yaml index 43e26a8e7e866..602e2b3999b39 100644 --- a/ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.20-nightly-x86.yaml +++ b/ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.20-nightly-x86.yaml @@ -313,7 +313,6 @@ tests: - chain: openshift-qe-control-plane workflow: openshift-qe-installer-aws-ovn-ipsec - as: data-path-ipsec-9nodes - cron: 0 2 8,22 * * steps: allow_skip_on_success: true cluster_profile: aws-perfscale-qe diff --git a/ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.21-nightly-x86.yaml b/ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.21-nightly-x86.yaml index 1045e42e8c753..119e764fe6899 100644 --- a/ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.21-nightly-x86.yaml +++ b/ci-operator/config/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main__aws-4.21-nightly-x86.yaml @@ -213,7 +213,7 @@ tests: SET_ENV_BY_PLATFORM: custom ZONES_COUNT: "3" test: - - ref: openshift-qe-workers-scale + - ref: openshift-qe-network-perf-ipsec - ref: openshift-qe-perfscale-aws-data-path-sg - chain: openshift-qe-data-path-tests workflow: openshift-qe-installer-aws @@ -295,7 +295,6 @@ tests: - chain: openshift-qe-control-plane workflow: openshift-qe-installer-aws-ovn-ipsec - as: data-path-ipsec-9nodes - cron: 0 2 8,22 * * steps: allow_skip_on_success: true cluster_profile: aws-perfscale-qe @@ -309,7 +308,7 @@ tests: TOLERANCE: "200" ZONES_COUNT: "3" test: - - ref: openshift-qe-workers-scale + - ref: openshift-qe-network-perf-ipsec - ref: openshift-qe-perfscale-aws-data-path-sg - chain: openshift-qe-data-path-tests workflow: openshift-qe-installer-aws-ovn-ipsec diff --git a/ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-periodics.yaml b/ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-periodics.yaml index 63bd375b44036..5a7020f87861c 100644 --- a/ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-periodics.yaml +++ b/ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-periodics.yaml @@ -1878,92 +1878,6 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator -- agent: kubernetes - cluster: build09 - cron: 0 2 8,22 * * - decorate: true - decoration_config: - skip_cloning: true - extra_refs: - - base_ref: main - org: openshift-eng - repo: ocp-qe-perfscale-ci - labels: - ci-operator.openshift.io/cloud: aws - ci-operator.openshift.io/cloud-cluster-profile: aws-perfscale-qe - ci-operator.openshift.io/variant: aws-4.19-nightly-x86 - ci.openshift.io/generator: prowgen - job-release: "4.19" - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.19-nightly-x86-data-path-ipsec-9nodes - reporter_config: - slack: - channel: '#ocp-qe-scale-ci-results' - job_states_to_report: - - success - - failure - - error - report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}* - ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> :white_check_mark: - {{else}} :warning: Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View - logs> :warning: {{end}}' - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --lease-server-credentials-file=/etc/boskos/credentials - - --report-credentials-file=/etc/report/credentials - - --secret-dir=/secrets/ci-pull-credentials - - --target=data-path-ipsec-9nodes - - --variant=aws-4.19-nightly-x86 - command: - - ci-operator - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /etc/boskos - name: boskos - readOnly: true - - mountPath: /secrets/ci-pull-credentials - name: ci-pull-credentials - readOnly: true - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: boskos - secret: - items: - - key: credentials - path: credentials - secretName: boskos-credentials - - name: ci-pull-credentials - secret: - secretName: ci-pull-credentials - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - agent: kubernetes cluster: build09 cron: 0 0 24 * * @@ -3598,92 +3512,6 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator -- agent: kubernetes - cluster: build09 - cron: 0 2 8,22 * * - decorate: true - decoration_config: - skip_cloning: true - extra_refs: - - base_ref: main - org: openshift-eng - repo: ocp-qe-perfscale-ci - labels: - ci-operator.openshift.io/cloud: aws - ci-operator.openshift.io/cloud-cluster-profile: aws-perfscale-qe - ci-operator.openshift.io/variant: aws-4.20-nightly-x86 - ci.openshift.io/generator: prowgen - job-release: "4.20" - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.20-nightly-x86-data-path-ipsec-9nodes - reporter_config: - slack: - channel: '#ocp-qe-scale-ci-results' - job_states_to_report: - - success - - failure - - error - report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}* - ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> :white_check_mark: - {{else}} :warning: Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View - logs> :warning: {{end}}' - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --lease-server-credentials-file=/etc/boskos/credentials - - --report-credentials-file=/etc/report/credentials - - --secret-dir=/secrets/ci-pull-credentials - - --target=data-path-ipsec-9nodes - - --variant=aws-4.20-nightly-x86 - command: - - ci-operator - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /etc/boskos - name: boskos - readOnly: true - - mountPath: /secrets/ci-pull-credentials - name: ci-pull-credentials - readOnly: true - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: boskos - secret: - items: - - key: credentials - path: credentials - secretName: boskos-credentials - - name: ci-pull-credentials - secret: - secretName: ci-pull-credentials - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - agent: kubernetes cluster: build09 cron: 0 0 24 * * @@ -5060,92 +4888,6 @@ periodics: - name: result-aggregator secret: secretName: result-aggregator -- agent: kubernetes - cluster: build09 - cron: 0 2 8,22 * * - decorate: true - decoration_config: - skip_cloning: true - extra_refs: - - base_ref: main - org: openshift-eng - repo: ocp-qe-perfscale-ci - labels: - ci-operator.openshift.io/cloud: aws - ci-operator.openshift.io/cloud-cluster-profile: aws-perfscale-qe - ci-operator.openshift.io/variant: aws-4.21-nightly-x86 - ci.openshift.io/generator: prowgen - job-release: "4.21" - pj-rehearse.openshift.io/can-be-rehearsed: "true" - name: periodic-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.21-nightly-x86-data-path-ipsec-9nodes - reporter_config: - slack: - channel: '#ocp-qe-scale-ci-results' - job_states_to_report: - - success - - failure - - error - report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job *{{.Spec.Job}}* - ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> :white_check_mark: - {{else}} :warning: Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View - logs> :warning: {{end}}' - spec: - containers: - - args: - - --gcs-upload-secret=/secrets/gcs/service-account.json - - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson - - --lease-server-credentials-file=/etc/boskos/credentials - - --report-credentials-file=/etc/report/credentials - - --secret-dir=/secrets/ci-pull-credentials - - --target=data-path-ipsec-9nodes - - --variant=aws-4.21-nightly-x86 - command: - - ci-operator - image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest - imagePullPolicy: Always - name: "" - resources: - requests: - cpu: 10m - volumeMounts: - - mountPath: /etc/boskos - name: boskos - readOnly: true - - mountPath: /secrets/ci-pull-credentials - name: ci-pull-credentials - readOnly: true - - mountPath: /secrets/gcs - name: gcs-credentials - readOnly: true - - mountPath: /secrets/manifest-tool - name: manifest-tool-local-pusher - readOnly: true - - mountPath: /etc/pull-secret - name: pull-secret - readOnly: true - - mountPath: /etc/report - name: result-aggregator - readOnly: true - serviceAccountName: ci-operator - volumes: - - name: boskos - secret: - items: - - key: credentials - path: credentials - secretName: boskos-credentials - - name: ci-pull-credentials - secret: - secretName: ci-pull-credentials - - name: manifest-tool-local-pusher - secret: - secretName: manifest-tool-local-pusher - - name: pull-secret - secret: - secretName: registry-pull-credentials - - name: result-aggregator - secret: - secretName: result-aggregator - agent: kubernetes cluster: build09 cron: 0 12 24 * * diff --git a/ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-presubmits.yaml b/ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-presubmits.yaml index 5887e175bc2bd..ed24eefb984e7 100644 --- a/ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-presubmits.yaml +++ b/ci-operator/jobs/openshift-eng/ocp-qe-perfscale-ci/openshift-eng-ocp-qe-perfscale-ci-main-presubmits.yaml @@ -1611,6 +1611,94 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )(aws-4.19-nightly-x86-cpou-loaded-upgrade-from-4.17-loaded-upgrade-ipsec-417to419-120nodes|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^main$ + - ^main- + cluster: build10 + context: ci/prow/aws-4.19-nightly-x86-data-path-ipsec-9nodes + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-perfscale-qe + ci-operator.openshift.io/variant: aws-4.19-nightly-x86 + ci.openshift.io/generator: prowgen + job-release: "4.19" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.19-nightly-x86-data-path-ipsec-9nodes + reporter_config: + slack: + channel: '#ocp-qe-scale-ci-results' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job + *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> + :white_check_mark: {{else}} :warning: Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. + <{{.Status.URL}}|View logs> :warning: {{end}}' + rerun_command: /test aws-4.19-nightly-x86-data-path-ipsec-9nodes + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=data-path-ipsec-9nodes + - --variant=aws-4.19-nightly-x86 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )aws-4.19-nightly-x86-data-path-ipsec-9nodes,?($|\s.*) - agent: kubernetes always_run: false branches: @@ -3008,6 +3096,94 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )(aws-4.20-nightly-x86-control-plane-3nodes|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^main$ + - ^main- + cluster: build10 + context: ci/prow/aws-4.20-nightly-x86-data-path-ipsec-9nodes + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-perfscale-qe + ci-operator.openshift.io/variant: aws-4.20-nightly-x86 + ci.openshift.io/generator: prowgen + job-release: "4.20" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.20-nightly-x86-data-path-ipsec-9nodes + reporter_config: + slack: + channel: '#ocp-qe-scale-ci-results' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job + *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> + :white_check_mark: {{else}} :warning: Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. + <{{.Status.URL}}|View logs> :warning: {{end}}' + rerun_command: /test aws-4.20-nightly-x86-data-path-ipsec-9nodes + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=data-path-ipsec-9nodes + - --variant=aws-4.20-nightly-x86 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )aws-4.20-nightly-x86-data-path-ipsec-9nodes,?($|\s.*) - agent: kubernetes always_run: false branches: @@ -4680,6 +4856,94 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )(aws-4.21-nightly-x86-control-plane-3nodes|remaining-required),?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^main$ + - ^main- + cluster: build10 + context: ci/prow/aws-4.21-nightly-x86-data-path-ipsec-9nodes + decorate: true + decoration_config: + skip_cloning: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-perfscale-qe + ci-operator.openshift.io/variant: aws-4.21-nightly-x86 + ci.openshift.io/generator: prowgen + job-release: "4.21" + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-eng-ocp-qe-perfscale-ci-main-aws-4.21-nightly-x86-data-path-ipsec-9nodes + reporter_config: + slack: + channel: '#ocp-qe-scale-ci-results' + job_states_to_report: + - success + - failure + - error + report_template: '{{if eq .Status.State "success"}} :white_check_mark: Job + *{{.Spec.Job}}* ended with *{{.Status.State}}*. <{{.Status.URL}}|View logs> + :white_check_mark: {{else}} :warning: Job *{{.Spec.Job}}* ended with *{{.Status.State}}*. + <{{.Status.URL}}|View logs> :warning: {{end}}' + rerun_command: /test aws-4.21-nightly-x86-data-path-ipsec-9nodes + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=data-path-ipsec-9nodes + - --variant=aws-4.21-nightly-x86 + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )aws-4.21-nightly-x86-data-path-ipsec-9nodes,?($|\s.*) - agent: kubernetes always_run: false branches: diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-cleanup/OWNERS b/ci-operator/step-registry/openshift-qe/egress-ip-cleanup/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-cleanup/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-cleanup/openshift-qe-egress-ip-cleanup-commands.sh b/ci-operator/step-registry/openshift-qe/egress-ip-cleanup/openshift-qe-egress-ip-cleanup-commands.sh new file mode 100644 index 0000000000000..cae83f13af96e --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-cleanup/openshift-qe-egress-ip-cleanup-commands.sh @@ -0,0 +1,47 @@ +#!/bin/bash + +set -o nounset +set -o errexit +set -o pipefail + +echo "Cleaning up egress IP test resources" + +# Load test configuration if available +if [[ -f "$SHARED_DIR/egress-namespace" ]]; then + TEST_NAMESPACE=$(cat "$SHARED_DIR/egress-namespace") +else + TEST_NAMESPACE="egress-ip-test" +fi + +if [[ -f "$SHARED_DIR/egress-node" ]]; then + EGRESS_NODE=$(cat "$SHARED_DIR/egress-node") +fi + +echo "Cleaning up test namespace: $TEST_NAMESPACE" + +# Set error handling to continue on failures during cleanup +set +e + +# Delete EgressIP custom resource +echo "Removing EgressIP custom resource..." +oc delete egressip egress-ip-test --ignore-not-found=true + +# Delete test namespace +echo "Removing test namespace..." +oc delete namespace "$TEST_NAMESPACE" --ignore-not-found=true + +# Remove egress assignable label from node +if [[ -n "${EGRESS_NODE:-}" ]]; then + echo "Removing egress-assignable label from node: $EGRESS_NODE" + oc label node "$EGRESS_NODE" k8s.ovn.org/egress-assignable- --ignore-not-found=true +fi + +# Clean up any leftover validation resources +echo "Cleaning up validation resources..." +oc delete namespace regular-test --ignore-not-found=true + +# Clean up shared directory files +echo "Removing shared configuration files..." +rm -f "$SHARED_DIR/egress-ip" "$SHARED_DIR/egress-node" "$SHARED_DIR/egress-namespace" + +echo "Egress IP cleanup completed" \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-cleanup/openshift-qe-egress-ip-cleanup-ref.metadata.json b/ci-operator/step-registry/openshift-qe/egress-ip-cleanup/openshift-qe-egress-ip-cleanup-ref.metadata.json new file mode 100644 index 0000000000000..b25c761658abc --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-cleanup/openshift-qe-egress-ip-cleanup-ref.metadata.json @@ -0,0 +1,11 @@ +{ + "path": "openshift-qe/egress-ip-cleanup/openshift-qe-egress-ip-cleanup-ref.yaml", + "owners": { + "approvers": [ + "perfscale-ocp-approvers" + ], + "reviewers": [ + "perfscale-ocp-reviewers" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-cleanup/openshift-qe-egress-ip-cleanup-ref.yaml b/ci-operator/step-registry/openshift-qe/egress-ip-cleanup/openshift-qe-egress-ip-cleanup-ref.yaml new file mode 100644 index 0000000000000..945dd66f8a250 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-cleanup/openshift-qe-egress-ip-cleanup-ref.yaml @@ -0,0 +1,14 @@ +ref: + as: openshift-qe-egress-ip-cleanup + from_image: + namespace: ocp + name: "4.18" + tag: cli + commands: openshift-qe-egress-ip-cleanup-commands.sh + resources: + requests: + cpu: 10m + memory: 100Mi + documentation: |- + Clean up egress IP test resources and configuration. + Removes EgressIP custom resources, test namespaces, and node labels. \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-scale/OWNERS b/ci-operator/step-registry/openshift-qe/egress-ip-scale/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-scale/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-scale/openshift-qe-egress-ip-scale-chain.metadata.json b/ci-operator/step-registry/openshift-qe/egress-ip-scale/openshift-qe-egress-ip-scale-chain.metadata.json new file mode 100644 index 0000000000000..12af6ccf3c9e5 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-scale/openshift-qe-egress-ip-scale-chain.metadata.json @@ -0,0 +1,11 @@ +{ + "path": "openshift-qe/egress-ip-scale/openshift-qe-egress-ip-scale-chain.yaml", + "owners": { + "approvers": [ + "perfscale-ocp-approvers" + ], + "reviewers": [ + "perfscale-ocp-reviewers" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-scale/openshift-qe-egress-ip-scale-chain.yaml b/ci-operator/step-registry/openshift-qe/egress-ip-scale/openshift-qe-egress-ip-scale-chain.yaml new file mode 100644 index 0000000000000..44d07a5691e44 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-scale/openshift-qe-egress-ip-scale-chain.yaml @@ -0,0 +1,19 @@ +chain: + as: openshift-qe-egress-ip-scale + steps: + - ref: openshift-qe-egress-ip-setup + - ref: redhat-chaos-power-outage + - ref: redhat-chaos-node-disruptions-worker-outage + - ref: redhat-chaos-pod-network-chaos + - ref: openshift-qe-egress-ip-validate + - ref: openshift-qe-egress-ip-cleanup + env: + - name: TELEMETRY_ENABLED + default: "false" + - name: ENABLE_ALERTS + default: "false" + documentation: |- + Comprehensive egress IP scale testing with chaos engineering scenarios. + Uses Huiran's proven methodology for validation combined with krkn chaos testing. + Includes power outages, node network chaos, and pod network chaos with validation + steps between each chaos scenario. Suitable for 10+ node clusters. \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-setup/OWNERS b/ci-operator/step-registry/openshift-qe/egress-ip-setup/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-setup/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-setup/openshift-qe-egress-ip-setup-commands.sh b/ci-operator/step-registry/openshift-qe/egress-ip-setup/openshift-qe-egress-ip-setup-commands.sh new file mode 100644 index 0000000000000..9cbe5d59739f7 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-setup/openshift-qe-egress-ip-setup-commands.sh @@ -0,0 +1,87 @@ +#!/bin/bash + +set -o nounset +set -o errexit +set -o pipefail + +echo "Setting up egress IP configuration using Huiran's proven methodology" + +# Detect the CNI type +RUNNING_CNI=$(oc get network.operator cluster -o=jsonpath='{.spec.defaultNetwork.type}') +echo "Detected CNI: $RUNNING_CNI" + +# Get a worker node for egress IP assignment +WORKER_NODE=$(oc get nodes --selector="node-role.kubernetes.io/worker" -o jsonpath='{.items[0].metadata.name}') +echo "Selected worker node: $WORKER_NODE" + +# Create test namespace +TEST_NAMESPACE=${TEST_NAMESPACE:-"egress-ip-test"} +echo "Creating test namespace: $TEST_NAMESPACE" +oc create namespace "$TEST_NAMESPACE" || true + +if [[ $RUNNING_CNI == "OVNKubernetes" ]]; then + echo "Configuring OVNKubernetes egress IP" + + # Label the node as egress assignable + oc label node --overwrite "$WORKER_NODE" k8s.ovn.org/egress-assignable= + + # Extract egress IP range from node annotations + egress_cidrs=$(oc get node "$WORKER_NODE" -o jsonpath="{.metadata.annotations.cloud\.network\.openshift\.io/egress-ipconfig}" | jq -r '.[].ifaddr.ipv4') + ip_part=$(echo "$egress_cidrs" | cut -d'/' -f1) + egress_ip="${ip_part%.*}.10" # Use .10 instead of .5 to avoid conflicts + + echo "Egress IP CIDR: $egress_cidrs" + echo "Assigned egress IP: $egress_ip" + + # Create EgressIP custom resource + cat </dev/null || echo "") + if [[ -n "$status" ]]; then + echo "EgressIP successfully assigned to node: $status" + break + fi + echo "Waiting for EgressIP assignment... (attempt $i/60)" + sleep 5 + done + + # Verify assignment + assigned_node=$(oc get egressip egress-ip-test -o jsonpath='{.status.items[*].node}' 2>/dev/null || echo "") + if [[ -z "$assigned_node" ]]; then + echo "ERROR: EgressIP failed to assign to any node" + oc get egressip egress-ip-test -o yaml + exit 1 + fi + + echo "EgressIP configuration completed successfully" + echo "Egress IP: $egress_ip assigned to node: $assigned_node" + + # Save configuration for validation steps + echo "$egress_ip" > "$SHARED_DIR/egress-ip" + echo "$assigned_node" > "$SHARED_DIR/egress-node" + echo "$TEST_NAMESPACE" > "$SHARED_DIR/egress-namespace" + +elif [[ $RUNNING_CNI == "OpenShiftSDN" ]]; then + echo "OpenShiftSDN configuration not implemented in this version" + echo "This test focuses on OVNKubernetes clusters" + exit 1 +else + echo "Unsupported CNI type: $RUNNING_CNI" + exit 1 +fi + +echo "Egress IP setup completed successfully" \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-setup/openshift-qe-egress-ip-setup-ref.metadata.json b/ci-operator/step-registry/openshift-qe/egress-ip-setup/openshift-qe-egress-ip-setup-ref.metadata.json new file mode 100644 index 0000000000000..9bccf2ab24ad7 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-setup/openshift-qe-egress-ip-setup-ref.metadata.json @@ -0,0 +1,11 @@ +{ + "path": "openshift-qe/egress-ip-setup/openshift-qe-egress-ip-setup-ref.yaml", + "owners": { + "approvers": [ + "perfscale-ocp-approvers" + ], + "reviewers": [ + "perfscale-ocp-reviewers" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-setup/openshift-qe-egress-ip-setup-ref.yaml b/ci-operator/step-registry/openshift-qe/egress-ip-setup/openshift-qe-egress-ip-setup-ref.yaml new file mode 100644 index 0000000000000..8779c73d7e6b0 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-setup/openshift-qe-egress-ip-setup-ref.yaml @@ -0,0 +1,15 @@ +ref: + as: openshift-qe-egress-ip-setup + from_image: + namespace: ocp + name: "4.18" + tag: cli + commands: openshift-qe-egress-ip-setup-commands.sh + resources: + requests: + cpu: 10m + memory: 100Mi + documentation: |- + Setup egress IP configuration for testing based on Huiran's proven methodology. + This step configures EgressIP custom resources and validates proper assignment + using internal cluster routing validation instead of external services. \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-validate/OWNERS b/ci-operator/step-registry/openshift-qe/egress-ip-validate/OWNERS new file mode 120000 index 0000000000000..ec405d65a79df --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-validate/OWNERS @@ -0,0 +1 @@ +../OWNERS \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-validate/openshift-qe-egress-ip-validate-commands.sh b/ci-operator/step-registry/openshift-qe/egress-ip-validate/openshift-qe-egress-ip-validate-commands.sh new file mode 100644 index 0000000000000..8c74152ce7169 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-validate/openshift-qe-egress-ip-validate-commands.sh @@ -0,0 +1,153 @@ +#!/bin/bash + +set -o nounset +set -o errexit +set -o pipefail + +echo "Validating egress IP configuration using internal routing verification" + +# Load saved configuration +if [[ ! -f "$SHARED_DIR/egress-ip" ]] || [[ ! -f "$SHARED_DIR/egress-node" ]] || [[ ! -f "$SHARED_DIR/egress-namespace" ]]; then + echo "ERROR: Egress IP configuration not found. Setup step may have failed." + exit 1 +fi + +EGRESS_IP=$(cat "$SHARED_DIR/egress-ip") +EGRESS_NODE=$(cat "$SHARED_DIR/egress-node") +TEST_NAMESPACE=$(cat "$SHARED_DIR/egress-namespace") + +echo "Validating egress IP: $EGRESS_IP on node: $EGRESS_NODE for namespace: $TEST_NAMESPACE" + +# Validate EgressIP CR configuration (Huiran's method) +validate_egressip_cr() { + echo "Validating EgressIP custom resource configuration..." + + # Get current EgressIP configuration + current_config_unformatted=$(oc get egressip egress-ip-test -o json | jq .spec) + current_config="$(echo -e "${current_config_unformatted}" | tr -d '[:space:]')" + + # Get the node where EgressIP is assigned + egressIP_node=$(oc get egressip egress-ip-test -o jsonpath='{.status.items[*].node}') + + # Extract expected egress CIDR from node annotations + expected_egressCIDRs=$(oc get node "$egressIP_node" -o jsonpath="{.metadata.annotations.cloud\.network\.openshift\.io/egress-ipconfig}" | jq -r '.[].ifaddr.ipv4') + ip_part=$(echo "$expected_egressCIDRs" | cut -d'/' -f1) + expected_egressIP="${ip_part%.*}.10" # Match the IP we assigned + + # Build expected configuration + expected_config="{\"egressIPs\":[\"$expected_egressIP\"],\"namespaceSelector\":{\"matchLabels\":{\"kubernetes.io/metadata.name\":\"$TEST_NAMESPACE\"}}}" + + echo "Current config: $current_config" + echo "Expected config: $expected_config" + + if diff <(echo "$current_config") <(echo "$expected_config"); then + echo "✓ EgressIP CR configuration validation PASSED" + return 0 + else + echo "✗ EgressIP CR configuration validation FAILED" + return 1 + fi +} + +# Validate EgressIP assignment and status +validate_egressip_assignment() { + echo "Validating EgressIP assignment status..." + + # Check if EgressIP is assigned + assigned_node=$(oc get egressip egress-ip-test -o jsonpath='{.status.items[*].node}' 2>/dev/null || echo "") + + if [[ -z "$assigned_node" ]]; then + echo "✗ EgressIP assignment validation FAILED - no node assigned" + oc get egressip egress-ip-test -o yaml + return 1 + fi + + echo "✓ EgressIP successfully assigned to node: $assigned_node" + + # Verify the assigned IP matches expectation + assigned_ip=$(oc get egressip egress-ip-test -o jsonpath='{.status.items[*].egressIP}') + if [[ "$assigned_ip" == "$EGRESS_IP" ]]; then + echo "✓ EgressIP assignment validation PASSED - IP: $assigned_ip" + return 0 + else + echo "✗ EgressIP assignment validation FAILED - Expected: $EGRESS_IP, Got: $assigned_ip" + return 1 + fi +} + +# Test internal routing behavior +validate_internal_routing() { + echo "Validating internal routing behavior..." + + # Create test pods in both egress-enabled and regular namespaces + echo "Creating test pods for routing validation..." + + # Pod in egress-enabled namespace + oc run test-egress-pod --image=quay.io/openshifttest/hello-sdn:latest --restart=Never -n "$TEST_NAMESPACE" -- sleep 3600 + + # Pod in regular namespace for comparison + oc create namespace regular-test || true + oc run test-regular-pod --image=quay.io/openshifttest/hello-sdn:latest --restart=Never -n regular-test -- sleep 3600 + + # Wait for pods to be ready + echo "Waiting for test pods to be ready..." + oc wait --for=condition=Ready pod/test-egress-pod -n "$TEST_NAMESPACE" --timeout=120s + oc wait --for=condition=Ready pod/test-regular-pod -n regular-test --timeout=120s + + # Get pod details for verification + egress_pod_node=$(oc get pod test-egress-pod -n "$TEST_NAMESPACE" -o jsonpath='{.spec.nodeName}') + regular_pod_node=$(oc get pod test-regular-pod -n regular-test -o jsonpath='{.spec.nodeName}') + + echo "Egress pod on node: $egress_pod_node" + echo "Regular pod on node: $regular_pod_node" + echo "EgressIP assigned to node: $EGRESS_NODE" + + # Test connectivity between pods (internal routing validation) + echo "Testing internal pod-to-pod connectivity..." + + regular_pod_ip=$(oc get pod test-regular-pod -n regular-test -o jsonpath='{.status.podIP}') + + # Test connectivity from egress pod to regular pod + if oc exec test-egress-pod -n "$TEST_NAMESPACE" -- curl -s --connect-timeout 10 "$regular_pod_ip:8080" > /dev/null; then + echo "✓ Internal routing validation PASSED - egress pod can reach regular pod" + else + echo "✗ Internal routing validation FAILED - connectivity issue" + return 1 + fi + + echo "✓ Internal routing behavior validated successfully" + return 0 +} + +# Cleanup test resources +cleanup_validation_resources() { + echo "Cleaning up validation test resources..." + set +e # Don't fail on cleanup errors + oc delete pod test-egress-pod -n "$TEST_NAMESPACE" --ignore-not-found=true + oc delete pod test-regular-pod -n regular-test --ignore-not-found=true + oc delete namespace regular-test --ignore-not-found=true + set -e +} + +# Main validation sequence +VALIDATION_ERRORS=0 + +echo "=== Starting egress IP validation ===" + +# Run validation checks +validate_egressip_cr || ((VALIDATION_ERRORS++)) +validate_egressip_assignment || ((VALIDATION_ERRORS++)) +validate_internal_routing || ((VALIDATION_ERRORS++)) + +# Cleanup +cleanup_validation_resources + +echo "=== Validation completed ===" + +if [[ $VALIDATION_ERRORS -eq 0 ]]; then + echo "✓ All egress IP validations PASSED" + exit 0 +else + echo "✗ $VALIDATION_ERRORS validation(s) FAILED" + exit 1 +fi \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-validate/openshift-qe-egress-ip-validate-ref.metadata.json b/ci-operator/step-registry/openshift-qe/egress-ip-validate/openshift-qe-egress-ip-validate-ref.metadata.json new file mode 100644 index 0000000000000..cf7f63f33d6f1 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-validate/openshift-qe-egress-ip-validate-ref.metadata.json @@ -0,0 +1,11 @@ +{ + "path": "openshift-qe/egress-ip-validate/openshift-qe-egress-ip-validate-ref.yaml", + "owners": { + "approvers": [ + "perfscale-ocp-approvers" + ], + "reviewers": [ + "perfscale-ocp-reviewers" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip-validate/openshift-qe-egress-ip-validate-ref.yaml b/ci-operator/step-registry/openshift-qe/egress-ip-validate/openshift-qe-egress-ip-validate-ref.yaml new file mode 100644 index 0000000000000..215868834b2e8 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip-validate/openshift-qe-egress-ip-validate-ref.yaml @@ -0,0 +1,15 @@ +ref: + as: openshift-qe-egress-ip-validate + from_image: + namespace: ocp + name: "4.18" + tag: cli + commands: openshift-qe-egress-ip-validate-commands.sh + resources: + requests: + cpu: 100m + memory: 200Mi + documentation: |- + Validate egress IP functionality using internal routing verification. + This step uses Huiran's proven methodology to test egress IP assignment + and routing behavior without relying on external services. \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip/OWNERS b/ci-operator/step-registry/openshift-qe/egress-ip/OWNERS new file mode 100644 index 0000000000000..e2cde59e126c1 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip/OWNERS @@ -0,0 +1,4 @@ +approvers: +- perfscale-ocp-approvers +reviewers: +- perfscale-ocp-reviewers \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip/openshift-qe-egress-ip-chain.metadata.json b/ci-operator/step-registry/openshift-qe/egress-ip/openshift-qe-egress-ip-chain.metadata.json new file mode 100644 index 0000000000000..28bf9cfc12ad4 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip/openshift-qe-egress-ip-chain.metadata.json @@ -0,0 +1,11 @@ +{ + "path": "openshift-qe/egress-ip/openshift-qe-egress-ip-chain.yaml", + "owners": { + "approvers": [ + "perfscale-ocp-approvers" + ], + "reviewers": [ + "perfscale-ocp-reviewers" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/egress-ip/openshift-qe-egress-ip-chain.yaml b/ci-operator/step-registry/openshift-qe/egress-ip/openshift-qe-egress-ip-chain.yaml new file mode 100644 index 0000000000000..e12772b5a4941 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/egress-ip/openshift-qe-egress-ip-chain.yaml @@ -0,0 +1,10 @@ +chain: + as: openshift-qe-egress-ip + steps: + - ref: openshift-qe-egress-ip-setup + - ref: openshift-qe-egress-ip-validate + - ref: openshift-qe-egress-ip-cleanup + documentation: |- + Basic egress IP functionality testing chain using Huiran's proven methodology. + This chain sets up egress IP configuration and validates it using internal + routing verification instead of external services. Suitable for 3-node clusters. \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/network-perf-ipsec/OWNERS b/ci-operator/step-registry/openshift-qe/network-perf-ipsec/OWNERS new file mode 100644 index 0000000000000..0b91d9fc0b75f --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/network-perf-ipsec/OWNERS @@ -0,0 +1,4 @@ +approvers: +- perfscale-ocp-approvers +reviewers: +- perfscale-ocp-reviewers diff --git a/ci-operator/step-registry/openshift-qe/network-perf-ipsec/openshift-qe-network-perf-ipsec-commands.sh b/ci-operator/step-registry/openshift-qe/network-perf-ipsec/openshift-qe-network-perf-ipsec-commands.sh new file mode 100755 index 0000000000000..184e740287444 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/network-perf-ipsec/openshift-qe-network-perf-ipsec-commands.sh @@ -0,0 +1,332 @@ +#!/bin/bash +set -euxo pipefail + +echo "=== IPSec Network Performance Test with Verification ===" +echo "Timestamp: $(date)" + +# Create directories for logging and artifacts +mkdir -p /tmp/ipsec-verification-artifacts +mkdir -p /tmp/ipsec-verification-logs + +echo "=== Installing Git Dependency ===" +# Try installing git with sudo first, then fallback to alternatives +if command -v sudo &> /dev/null; then + if command -v yum &> /dev/null; then + sudo yum install -y git && echo "Git installed via sudo yum" + elif command -v apt-get &> /dev/null; then + sudo apt-get update && sudo apt-get install -y git && echo "Git installed via sudo apt-get" + elif command -v apk &> /dev/null; then + sudo apk add --no-cache git && echo "Git installed via sudo apk" + fi +fi + +# If sudo installation failed, try without sudo +if ! command -v git &> /dev/null; then + echo "Trying installation without sudo..." + if command -v yum &> /dev/null; then + yum install -y git 2>/dev/null && echo "Git installed via yum" + elif command -v apt-get &> /dev/null; then + apt-get update && apt-get install -y git 2>/dev/null && echo "Git installed via apt-get" + elif command -v apk &> /dev/null; then + apk add --no-cache git 2>/dev/null && echo "Git installed via apk" + fi +fi + +# If git still not available, try downloading a static binary +if ! command -v git &> /dev/null; then + echo "Attempting to download static git binary..." + mkdir -p /tmp/git-static + cd /tmp/git-static + + # Download static git binary for Linux x86_64 + if command -v curl &> /dev/null; then + curl -L -o git-static.tar.xz "https://github.com/git/git/releases/download/v2.41.0/git-2.41.0.tar.xz" 2>/dev/null || echo "Could not download git" + elif command -v wget &> /dev/null; then + wget -O git-static.tar.xz "https://github.com/git/git/releases/download/v2.41.0/git-2.41.0.tar.xz" 2>/dev/null || echo "Could not download git" + fi + + # Alternative: try to get git from busybox or other minimal sources + if ! command -v git &> /dev/null && command -v apk &> /dev/null; then + apk add --no-cache git --force 2>/dev/null || echo "Force install failed" + fi + + cd /tmp +fi + +# Final fallback: check if git is available in alternative paths +if ! command -v git &> /dev/null; then + echo "Searching for git in alternative locations..." + find /usr /opt /bin 2>/dev/null | grep -E "bin/git$" | head -1 | while read gitpath; do + if [ -x "$gitpath" ]; then + ln -sf "$gitpath" /usr/local/bin/git 2>/dev/null || echo "Could not link git" + fi + done +fi + +# Verify git installation +if command -v git &> /dev/null; then + git --version | tee /tmp/ipsec-verification-artifacts/git-version.log + echo "Git successfully installed" +else + echo "WARNING: Git not available, test may fail" +fi + +echo "=== Collecting Cluster Information ===" +oc get infrastructure cluster -o yaml > /tmp/ipsec-verification-artifacts/cluster-info.yaml 2>&1 || echo "Could not get cluster info" + +echo "=== Checking IPSec Configuration ===" +oc get network.operator.openshift.io cluster -o yaml | grep -A10 -B5 ipsec > /tmp/ipsec-verification-artifacts/ipsec-config.yaml 2>&1 || echo "No IPSec config found" + +IPSEC_MODE=$(oc get network.operator.openshift.io cluster -o jsonpath='{.spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig.mode}' 2>/dev/null || echo "Not configured") +echo "IPSec Mode: $IPSEC_MODE" | tee /tmp/ipsec-verification-artifacts/ipsec-mode.log + +echo "=== Checking IPSec Pods ===" +oc get pods -n openshift-ovn-kubernetes | grep ipsec > /tmp/ipsec-verification-artifacts/ipsec-pods.log 2>&1 || echo "No IPSec pods found" +IPSEC_POD_COUNT=$(oc get pods -n openshift-ovn-kubernetes | grep ipsec | wc -l) +echo "IPSec pods running: $IPSEC_POD_COUNT" | tee -a /tmp/ipsec-verification-artifacts/ipsec-pods.log + +# Get primary worker node for monitoring +WORKER_NODE=$(oc get nodes --no-headers | grep worker | head -1 | awk '{print $1}' || echo "no-worker-found") +echo "Primary monitoring node: $WORKER_NODE" | tee /tmp/ipsec-verification-artifacts/monitoring-node.log + +if [ "$WORKER_NODE" != "no-worker-found" ]; then + echo "=== Starting Packet Captures on $WORKER_NODE ===" + + # Start ESP packet capture (encrypted traffic) + echo "Starting ESP packet capture..." + timeout 1800 oc debug node/$WORKER_NODE -- chroot /host tcpdump -i any -w /tmp/esp-packets.pcap esp > /tmp/ipsec-verification-logs/esp-capture.log 2>&1 & + ESP_PID=$! + echo "ESP capture started, PID: $ESP_PID" + + # Start general traffic capture for comparison + echo "Starting general traffic capture..." + timeout 1800 oc debug node/$WORKER_NODE -- chroot /host tcpdump -i any -c 500 -w /tmp/general-traffic.pcap > /tmp/ipsec-verification-logs/general-capture.log 2>&1 & + GENERAL_PID=$! + echo "General capture started, PID: $GENERAL_PID" + + # Give captures time to start + sleep 5 +else + echo "WARNING: No worker node found for packet capture" +fi + +echo "=== Setting Up E2E Benchmarking Environment ===" +# Create python virtual environment in /tmp where we have write permissions +python3 -m venv /tmp/venv_qe +source /tmp/venv_qe/bin/activate + +# Get credentials +ES_PASSWORD=$(cat /secret/password 2>/dev/null || echo "no-password") +ES_USERNAME=$(cat /secret/username 2>/dev/null || echo "no-username") + +export ES_PASSWORD ES_USERNAME + +# Download e2e-benchmarking repository +LATEST_TAG=$(curl -s https://api.github.com/repos/cloud-bulldozer/e2e-benchmarking/releases/latest | jq -r .tag_name 2>/dev/null || echo "v2.7.1") + +echo "Downloading e2e-benchmarking ${LATEST_TAG}..." | tee /tmp/ipsec-verification-artifacts/repo-clone.log + +# Skip git entirely and use curl/wget for more reliability in CI environment +echo "Using direct download method for better CI compatibility..." | tee -a /tmp/ipsec-verification-artifacts/repo-clone.log +GIT_FAILED=true + +# If git failed or not available, use curl/wget +if [ "$GIT_FAILED" = "true" ]; then + # Try using curl to download and extract the repository + ARCHIVE_URL="https://github.com/cloud-bulldozer/e2e-benchmarking/archive/refs/tags/${LATEST_TAG}.tar.gz" + echo "Attempting to download ${ARCHIVE_URL}" | tee -a /tmp/ipsec-verification-artifacts/repo-clone.log + + if command -v curl &> /dev/null; then + cd /tmp + curl -L -o e2e-benchmarking.tar.gz "$ARCHIVE_URL" 2>&1 | tee -a /tmp/ipsec-verification-artifacts/repo-clone.log + if [ -f e2e-benchmarking.tar.gz ]; then + tar -xzf e2e-benchmarking.tar.gz 2>&1 | tee -a /tmp/ipsec-verification-artifacts/repo-clone.log + mv e2e-benchmarking-* e2e-benchmarking 2>/dev/null || echo "Repository directory rename failed" + echo "Repository downloaded and extracted via curl" | tee -a /tmp/ipsec-verification-artifacts/repo-clone.log + fi + elif command -v wget &> /dev/null; then + cd /tmp + wget -O e2e-benchmarking.tar.gz "$ARCHIVE_URL" 2>&1 | tee -a /tmp/ipsec-verification-artifacts/repo-clone.log + if [ -f e2e-benchmarking.tar.gz ]; then + tar -xzf e2e-benchmarking.tar.gz 2>&1 | tee -a /tmp/ipsec-verification-artifacts/repo-clone.log + mv e2e-benchmarking-* e2e-benchmarking 2>/dev/null || echo "Repository directory rename failed" + echo "Repository downloaded and extracted via wget" | tee -a /tmp/ipsec-verification-artifacts/repo-clone.log + fi + else + echo "ERROR: Neither git, curl, nor wget available for repository download" | tee -a /tmp/ipsec-verification-artifacts/repo-clone.log + exit 1 + fi +fi + +# Verify repository was downloaded +if [ ! -d "/tmp/e2e-benchmarking" ]; then + echo "ERROR: Failed to obtain e2e-benchmarking repository" | tee -a /tmp/ipsec-verification-artifacts/repo-clone.log + exit 1 +else + echo "Repository successfully obtained" | tee -a /tmp/ipsec-verification-artifacts/repo-clone.log +fi + +cd /tmp/e2e-benchmarking + +# Install requirements if available +if [ -f requirements.txt ]; then + echo "Installing Python requirements..." + pip install -r requirements.txt > /tmp/ipsec-verification-artifacts/pip-install.log 2>&1 || echo "Some requirements failed to install" +fi + +echo "=== Finding Network Performance Test Directory ===" +if [ -d "workloads/network-perf" ]; then + cd workloads/network-perf + echo "Using workloads/network-perf" +elif [ -d "workloads/k8s-netperf" ]; then + cd workloads/k8s-netperf + echo "Using workloads/k8s-netperf" +else + echo "Searching for network performance test directory..." + find . -name "*netperf*" -type d | tee /tmp/ipsec-verification-artifacts/netperf-dirs.log + NETPERF_DIR=$(find . -name "*netperf*" -type d | head -1) + if [ ! -z "$NETPERF_DIR" ]; then + cd "$NETPERF_DIR" + echo "Using directory: $NETPERF_DIR" + else + echo "ERROR: No network performance test directory found" + ls -la workloads/ | tee -a /tmp/ipsec-verification-artifacts/netperf-dirs.log + exit 1 + fi +fi + +echo "=== Starting Network Performance Test ===" +echo "Test start time: $(date)" | tee /tmp/ipsec-verification-artifacts/test-start.log +echo "Current directory: $(pwd)" | tee -a /tmp/ipsec-verification-artifacts/test-start.log +ls -la | tee -a /tmp/ipsec-verification-artifacts/test-start.log + +# Run the network performance test +if [ -f "run.py" ]; then + echo "Running Python test script..." + python3 -u ./run.py > /tmp/ipsec-verification-artifacts/netperf-output.log 2>&1 & + NETPERF_PID=$! +elif [ -f "run.sh" ]; then + echo "Running shell test script..." + bash ./run.sh > /tmp/ipsec-verification-artifacts/netperf-output.log 2>&1 & + NETPERF_PID=$! +else + echo "ERROR: No run script found" + ls -la | tee /tmp/ipsec-verification-artifacts/test-start.log + exit 1 +fi + +echo "NetPerf test started, PID: $NETPERF_PID" + +# Monitor test progress +echo "=== Monitoring Test Progress ===" +sleep 30 # Give test time to start + +for i in {1..10}; do + echo "--- Progress check $i at $(date) ---" | tee -a /tmp/ipsec-verification-artifacts/progress.log + + # Check for netperf pods + oc get pods | grep netperf | head -5 | tee -a /tmp/ipsec-verification-artifacts/progress.log || echo "No netperf pods yet" + + # If we have netperf pods and a worker node, capture their specific traffic + if [ "$WORKER_NODE" != "no-worker-found" ]; then + NETPERF_PODS=$(oc get pods --no-headers | grep netperf | awk '{print $1}' | head -2) + if [ ! -z "$NETPERF_PODS" ]; then + echo "Found netperf pods, capturing traffic..." | tee -a /tmp/ipsec-verification-artifacts/progress.log + POD1=$(echo "$NETPERF_PODS" | head -1) + POD2=$(echo "$NETPERF_PODS" | tail -1) + + if [ "$POD1" != "$POD2" ]; then + POD1_IP=$(oc get pod $POD1 -o jsonpath='{.status.podIP}' 2>/dev/null || echo "") + POD2_IP=$(oc get pod $POD2 -o jsonpath='{.status.podIP}' 2>/dev/null || echo "") + + if [ ! -z "$POD1_IP" ] && [ ! -z "$POD2_IP" ]; then + echo "Pod IPs: $POD1_IP <-> $POD2_IP" | tee -a /tmp/ipsec-verification-artifacts/progress.log + + # Quick pod-to-pod traffic capture + timeout 30 oc debug node/$WORKER_NODE -- chroot /host tcpdump -i any -c 10 -w /tmp/pod-traffic-$i.pcap "host $POD1_IP and host $POD2_IP" > /tmp/ipsec-verification-logs/pod-capture-$i.log 2>&1 & + + # Test connectivity + oc exec $POD1 -- ping -c 3 $POD2_IP >> /tmp/ipsec-verification-artifacts/progress.log 2>&1 || echo "Ping test failed" + fi + fi + break # Found pods, no need to keep checking + fi + fi + + # Check if test is still running + if ! kill -0 $NETPERF_PID 2>/dev/null; then + echo "NetPerf test completed" | tee -a /tmp/ipsec-verification-artifacts/progress.log + break + fi + + sleep 60 +done + +# Wait for test completion +echo "=== Waiting for Test Completion ===" +wait $NETPERF_PID 2>/dev/null || NETPERF_EXIT_CODE=$? +echo "NetPerf test completed with exit code: ${NETPERF_EXIT_CODE:-0}" | tee /tmp/ipsec-verification-artifacts/test-completion.log +echo "Test completion time: $(date)" | tee -a /tmp/ipsec-verification-artifacts/test-completion.log + +# Stop packet captures +if [ "$WORKER_NODE" != "no-worker-found" ]; then + echo "=== Stopping Packet Captures ===" + kill $ESP_PID 2>/dev/null || echo "ESP capture already stopped" + kill $GENERAL_PID 2>/dev/null || echo "General capture already stopped" + + # Collect final IPSec status + echo "=== Collecting Final IPSec Status ===" + oc debug node/$WORKER_NODE -- chroot /host ipsec status > /tmp/ipsec-verification-artifacts/final-ipsec-status.log 2>&1 || echo "IPSec status command failed" + oc debug node/$WORKER_NODE -- chroot /host ipsec trafficstatus > /tmp/ipsec-verification-artifacts/final-ipsec-traffic.log 2>&1 || echo "IPSec traffic status command failed" + oc debug node/$WORKER_NODE -- chroot /host ip xfrm state > /tmp/ipsec-verification-artifacts/final-xfrm-state.log 2>&1 || echo "XFRM state command failed" + + # List packet capture files + oc debug node/$WORKER_NODE -- chroot /host ls -la /tmp/*.pcap > /tmp/ipsec-verification-artifacts/pcap-files.log 2>&1 || echo "No pcap files found" +fi + +# Create analysis summary +echo "=== Creating Analysis Summary ===" +cat > /tmp/ipsec-verification-artifacts/ENCRYPTION-ANALYSIS.md << EOF +# IPSec Encryption Analysis Report + +**Generated:** $(date) +**Cluster:** $(oc get infrastructure cluster -o jsonpath='{.status.apiServerURL}' 2>/dev/null || echo "Unknown") +**IPSec Mode:** $IPSEC_MODE +**Worker Node:** $WORKER_NODE +**IPSec Pods:** $IPSEC_POD_COUNT running + +## Test Execution +- Network performance test completed with exit code: ${NETPERF_EXIT_CODE:-0} +- Packet captures collected during test execution +- IPSec status and configuration logged + +## Critical Evidence Files +- \`esp-packets.pcap\` - ESP encrypted traffic (if present, IPSec is working) +- \`general-traffic.pcap\` - General network traffic for comparison +- \`pod-traffic-*.pcap\` - Specific pod-to-pod communication +- \`final-ipsec-status.log\` - IPSec daemon status and tunnels +- \`final-ipsec-traffic.log\` - IPSec traffic statistics +- \`netperf-output.log\` - Performance test results + +## Analysis Instructions for Dev Team +1. **Check for ESP packets:** If ESP protocol packets are found in captures, IPSec encryption is working +2. **Compare traffic types:** hostNetwork=true (unencrypted) vs hostNetwork=false (should be encrypted) +3. **Review IPSec status:** Active tunnels and traffic statistics indicate proper IPSec operation +4. **Performance correlation:** Link encryption overhead to observed performance regression + +## Key Questions Answered +- ✅ Is IPSec configured? $([ "$IPSEC_MODE" != "Not configured" ] && echo "YES ($IPSEC_MODE)" || echo "NO") +- ✅ Are IPSec pods running? $([ "$IPSEC_POD_COUNT" -gt 0 ] && echo "YES ($IPSEC_POD_COUNT pods)" || echo "NO") +- ✅ Packet captures available? $([ "$WORKER_NODE" != "no-worker-found" ] && echo "YES" || echo "NO - No worker node found") + +**Result:** $([ "$IPSEC_MODE" != "Not configured" ] && [ "$IPSEC_POD_COUNT" -gt 0 ] && echo "IPSec appears to be configured and running" || echo "IPSec configuration or deployment issue detected") +EOF + +# Final artifact summary +echo "=== Test Summary ===" | tee /tmp/ipsec-verification-artifacts/FINAL-SUMMARY.log +echo "IPSec verification test completed: $(date)" | tee -a /tmp/ipsec-verification-artifacts/FINAL-SUMMARY.log +echo "All artifacts saved to /tmp/ipsec-verification-artifacts/" | tee -a /tmp/ipsec-verification-artifacts/FINAL-SUMMARY.log +echo "Packet captures and analysis ready for dev team review" | tee -a /tmp/ipsec-verification-artifacts/FINAL-SUMMARY.log +ls -la /tmp/ipsec-verification-artifacts/ | tee -a /tmp/ipsec-verification-artifacts/FINAL-SUMMARY.log + +echo "=== IPSec Network Performance Test Completed ===" \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/network-perf-ipsec/openshift-qe-network-perf-ipsec-ref.metadata.json b/ci-operator/step-registry/openshift-qe/network-perf-ipsec/openshift-qe-network-perf-ipsec-ref.metadata.json new file mode 100644 index 0000000000000..f9d9552507076 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/network-perf-ipsec/openshift-qe-network-perf-ipsec-ref.metadata.json @@ -0,0 +1,11 @@ +{ + "path": "openshift-qe/network-perf-ipsec/openshift-qe-network-perf-ipsec-ref.yaml", + "owners": { + "approvers": [ + "perfscale-ocp-approvers" + ], + "reviewers": [ + "perfscale-ocp-reviewers" + ] + } +} \ No newline at end of file diff --git a/ci-operator/step-registry/openshift-qe/network-perf-ipsec/openshift-qe-network-perf-ipsec-ref.yaml b/ci-operator/step-registry/openshift-qe/network-perf-ipsec/openshift-qe-network-perf-ipsec-ref.yaml new file mode 100644 index 0000000000000..53a1f629f5dd0 --- /dev/null +++ b/ci-operator/step-registry/openshift-qe/network-perf-ipsec/openshift-qe-network-perf-ipsec-ref.yaml @@ -0,0 +1,40 @@ +ref: + as: openshift-qe-network-perf-ipsec + from_image: + namespace: ci + name: ocp-qe-perfscale-ci + tag: latest + cli: latest + timeout: 8h0m0s + commands: openshift-qe-network-perf-ipsec-commands.sh + credentials: + - namespace: test-credentials + name: ocp-qe-perfscale-es + mount_path: /secret + resources: + requests: + cpu: 100m + memory: 200Mi + env: + - name: ADDITIONAL_WORKER_NODES + default: "0" + documentation: |- + Additional worker nodes that will be added to the cluster + - name: EXTRA_FLAGS + default: "" + documentation: |- + Add args for e2e-benchmarking network performance tests + - name: E2E_VERSION + default: "default" + documentation: |- + Override the e2e version + documentation: |- + This step runs network performance testing with IPSec verification and packet capture logging. + It fixes the git dependency issue and provides comprehensive evidence of IPSec encryption status. + + The step: + 1. Installs git dependency to fix clone issues + 2. Runs k8s-netperf network performance tests + 3. Captures ESP packets to verify IPSec encryption + 4. Saves packet captures and analysis as artifacts + 5. Generates encryption analysis summary for dev teams \ No newline at end of file